Introduction
The present invention is directed to communication networking, and in particular to techniques for installing new network devices without the need to reprogram routing information or modify existing network devices.
It is safe to say that an efficiently running communication network is now an absolute necessity for almost any business enterprise. The proliferation of inexpensive Personal Computers (PCs) and ubiquitous networking infrastructure has done much to improve personal productivity over the past several decades. Many Information Technology (IT) professionals spend their time installing network infrastructure, as well as connecting new devices and reconfiguring existing devices in the network.
Network Addressing Schemes
For example, proper installation of a New Network Device (NND) requires configuring different network addresses before the device can begin to communicate—in particular, addresses need to be assigned to the new device in such a manner as to avoid conflicts with existing devices. It can therefore become difficult for administrative users to configure devices so that no two share the same address.
The most common networking protocols are Transmission Control Protocol/Internet Protocol (TCP/IP), which are transport/network layer protocols, and Media-Access Control (MAC) protocol, used at the so-called link layer. The typical device connected to a network thus needs two unique address. One is the address of its network interface or MAC address. The MAC address, in theory, is a globally-unique and unchangeable address which is stored in the equipment hardware. MAC addresses are necessary so that the Ethernet protocol can send data independent of whatever higher layer application protocols are used on top of it. The Ethernet is principally responsible for building “frames” of data consisting of 1500 by blocks. Each frame has an Ethernet header containing the MAC address of the source computer and the MAC address of the destination computer.
A second address required for each computer is typically an IP address. IP is a network layer protocol that allows application layer software to communicate without regard to the exact network technology used. Each computer on a network must, therefore, also have a unique IP address so that application layer software can communicate. IP addresses are virtual and are typically assigned via software.
IP and Ethernet addressing schemes must work together to deliver data from a source to a destination. IP communicates by constructing “packets” which are similar to frames, but which have a different structure. Packets cannot be delivered without network layer processing. In the most common case, they are delivered by the Ethernet layer, which splits the packets into frames adding an Ethernet header, for and sending them along a physical path (which may be wired or wireless) to a switch. The switch then decides which port to send the frame to, by comparing the destination MAC address of the frame to an internal table which maps port numbers to MAC addresses.
Address Resolution Protocol (ARP)
However, at the time of constructing a frame, an Ethernet layer processor has no idea what the MAC address of the destination machine is, which it needs to create an Ethernet header. The only information it has available is the destination IP address, taken from the packet header that the IP application software provided. Therefore, some way must be provided for the Ethernet packet processor to find the MAC address of a destination machine, given the destination's IP address.
This is where the Address Resolution Protocol (ARP) finds use. ARP is a network protocol which maps a network layer address to a data link layer address. For example, ARP can be used to resolve an IP address to a corresponding MAC layer Ethernet address.
ARP operates by sending out a special type of packet called a “ARP request”. An ARP requests asks the question, “Is your IP address x.x.x.x”? “If so, send your MAC address back to me.” These packets are broadcast to all computers on a (LAN), even on a switched network.
Each computer receiving an ARP request examines it to see if it is currently assigned to a specific IP. If so, it sends a specialized reply packet called an “ARP reply” containing the corresponding MAC address. To minimize the number of ARP packets being broadcast, operating systems typically keep a cache of ARP reply messages. When a computer receives an ARP reply, it will update its ARP cache with a new IP/MAC pair association. As ARP is a stateless protocol, most operating systems will update their ARP cache wherever a reply is received, regardless of whether they have sent out an ARP request.
When an ARP needs to resolve a given IP address to an Ethernet address, it thus broadcasts an ARP request packet. The ARP request contains a source MAC address, a source IP address, and a destination IP address. Each host in the local network then receives the ARP request packet. The host with the specified destination IP address sends an ARP reply packet to the originating host with its MAC address.
In the event a host is not able to obtain a MAC address for a particular IP address, it will then resort to using other protocols such as a Domain Name Service (DNS) protocol, to obtain the IP address of another host, which may be remotely located. For remote accesses, a local network router typically maintains a cache of a such IP/MAC mappings for remotely located machines.
ARP Spoofing
ARP spoofing is a technique that is used to exploit the interaction of IP and Ethernet protocols in order to attack a network. By sending a forged ARP reply packet, a target computer can be convinced to send frames destined for a first computer to instead go to a second computer controlled by a malicious attacker. This can be done in such a way that the first computer has no idea that redirection to the second malicious computer is taking place. The process of updating a target computer's ARP cache with a forged entry is referred to as ARP cache “poisoning”. A so-called man-in-the-middle attack (MiM) can be performed with a malicious user inserting his computer between the communication path of two target computers. The malicious computer forwards frames between the two target computers so that communications are not interrupted, and so that neither of the targets are aware of the attack. The attack is performed with the attacker poisoning the ARP cache of both the source and destination computer, associating the destination computers and source computers IP with its own MAC layer address. All of the target computer's IP traffic will then be routed to the attacker's computer instead of directly to one another. More information on ARP spoofing can be obtained in the paper by Whalen, S., “An Introduction to ARP Spoofing”, April, 2001.